I left the University of Pennsylvania where I had a career for 15 years, most of which was in the Office of Information Security. I found it was time to build my own business doing what I love, hacking shit. All day all night.
Once I made the announcement that I had left Penn, I was contacted by NUMEROUS security companies. One such company was Rhino Security Labs. Ben Caudill, the founder of the company, had approached me about possibly doing some contract work which would likely lead to being hired full-time as Senior Security Consultant for the (new) PA branch of Rhino Security Labs. This was a very enticing offer of course. So, I took it. I decided to put my own company on hold, which I deeply regret.
Anyways, I began doing what I do which is finding things that other people can’t find. Things that have been sitting there for a decade or more. Things that are actually right in front of your face but you don’t see it. I came behind a Foundstone pentest once and no, I can’t talk about what I found.
I am well known in the security community when it comes to Oracle Reports as I discovered a couple of horrific vulnerabilities back in 2011-2012. In fact, I became so intimate with Oracle Reports that the very thought of this application made me cringe. Especially the data being exposed which people didn’t even realize was exposed.
So, I logged into my Shodan account and searched for some Oracle Servers. This is BEFORE I actually worked for Rhino Security Labs! I found the Texas Department of Family and Protective Services Exposure. Ben saw the potential in this and asked if they could put the Rhino Security Labs name on it and put me on staff. I agreed. However, it ended up being an EPIC MISTAKE! A mistake that actually makes me panic about my own livelihood. My research was basically usurped, and all news reported only mentions Ben Caudill and Bryan Seely outside of one vague mention of me as their Lead Researcher. This INFURIATED ME! Bryan Seely had told me I was going to be interviewed by CNN, only later to find out I wasn’t. He forgot to tell me. WTF! I had already found a place to do the interview while Bryan already knew I was not going to be interviewed. Didn’t tell me shit. In fact, they often “forgot” to tell me a lot of things. I felt like a paper clip or a stapler sitting in their office. They had what they wanted: one of the biggest breaches of the year.
The breach I FOUND before I worked at their company. MY FUCKING RESEARCH! And my name is not even on it. This directly abuses my ability to survive and I was super upset and I let them know about it.
BTW, Bryan Seely (themapsguy), who wishes he had the skills I have, told me he would mentor me. LOL. I would love to see Bryan do an actual Pentest. The results would be hilarious. With all the “my name not tied to my own research” stuff, Bryan was the one handling it. He seems like a “me me me” person. Ben agrees and said he needed to be dealt with. But the shit kept happening.
So, that is what happened. This morning I sent an email to apologize for how I reacted (it was pretty fucked up) and got no response. I sent Ben a text and he said he was in a meeting. Waited and sent him a text asking if I was still at Rhino, no response. So, I sent a text saying I resign. He happily accepted it. After all, look at what his company accomplished by “not discovering” shit to do with Oracle.
Buyer beware. I am about honesty and people I work with in the community know this.